Cisco warns of password-spraying attacks targeting VPN services

March 28, 2024 at 12:38PM

Cisco has released recommendations for addressing password-spraying attacks against Remote Access VPN services on Cisco Secure Firewall devices; the attacks are believed to be part of reconnaissance activity. The company lists indicators of compromise for detection and blocking, such as abnormal volumes of authentication requests and users being unable to establish VPN connections. Security researcher Aaron Martin suspects the involvement of an undocumented malware botnet named ‘Brutus,’ which uses a distinctive attack pattern and has connections to APT29.

Summary:

– Cisco has observed password-spraying attacks targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices, as well as other remote access VPN services.
– These attacks appear to be part of reconnaissance activity and involve adversaries trying the same password with multiple accounts to log in.
– Cisco has provided a mitigation guide with indicators of compromise (IoCs) to help detect and block the attacks, including issues with VPN connections and authentication request logs.
– Recommendations to defend against these attacks include enabling logging to a remote syslog server, securing default remote access VPN profiles, leveraging TCP shun to block malicious IPs, configuring control-plane ACLs, and using certificate-based authentication for RAVPN.
– Security researcher Aaron Martin has identified the activity as likely coming from an undocumented malware botnet named ‘Brutus.’ The botnet relies on 20,000 worldwide IP addresses and initially targeted SSLVPN appliances from various vendors. The attacks have expanded to include web apps using Active Directory.
– Brutus rotates its IPs every six attempts and uses specific non-disclosed usernames, raising concerns about how these usernames were obtained and indicating a potential undisclosed breach or exploitation of a zero-day vulnerability.
– While the operators of Brutus are unknown, two IPs associated with past activities of APT29 (Russian espionage threat group) have been identified.
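The points above describe two things a defender can check for once RAVPN authentication logs are shipped to a remote syslog server: the basic spraying signature (one source failing against many different accounts, a few tries each) and the Brutus-style variant in which each source makes only about six attempts before the address rotates. The script below is an added example, not Cisco's or the researcher's code. The sample log lines are constructed for the example; their layout is loosely modelled on Cisco ASA AAA rejection syslog messages, but the message id, field names and addresses are assumptions, as are the thresholds.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the article). The layout is an
# assumption loosely modelled on Cisco ASA "AAA user authentication Rejected"
# messages; the message id, reason text and addresses are made up.
def build_sample_logs():
    lines = []
    # Three spraying sources, each trying one password against six accounts and
    # then handing over to the next address (the "rotate every six attempts" pattern).
    spray_users = ["jsmith", "mjones", "admin", "svc-backup", "rlee", "kpatel",
                   "tnguyen", "hr.shared", "dwilson", "itsupport", "agarcia", "pbrown",
                   "finance", "cchen", "vpn-test", "mgreen", "skim", "helpdesk"]
    sources = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
    for i, user in enumerate(spray_users):
        ip = sources[i // 6]
        lines.append("%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password "
                     f": server = 10.0.0.5 : user = {user} : user IP = {ip}")
    # A legitimate user mistyping their own password three times from one address:
    # this must not be flagged as spraying.
    for _ in range(3):
        lines.append("%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password "
                     ": server = 10.0.0.5 : user = alice : user IP = 198.51.100.5")
    return lines


# Extract the username and source address from a rejection line.
REJECT_RE = re.compile(
    r"authentication Rejected.*?user = (?P<user>\S+) : user IP = "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_rejections(lines):
    """Return (source_ip, username) pairs for every rejected authentication line."""
    events = []
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("user")))
    return events


def attempts_by_source(events):
    """Map each source IP to {username: failure count}."""
    table = defaultdict(lambda: defaultdict(int))
    for ip, user in events:
        table[ip][user] += 1
    return table


def spray_sources(events, min_users=5, max_per_user=2):
    """Single-source spraying: one IP fails against many distinct accounts, a few tries each.

    A brute force against one account looks the opposite way (one user, many tries),
    so the per-user cap keeps those out of this list.
    """
    hits = []
    for ip, per_user in attempts_by_source(events).items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            hits.append(ip)
    return sorted(hits)


def distributed_spray(events, max_attempts_per_ip=6, min_total_users=10):
    """Rotating-source spraying: many low-volume IPs that each touch every user only once.

    Sources that stay under the per-IP budget and never repeat a username are pooled;
    if together they cover many distinct accounts, the campaign is flagged even though
    no single IP would trip the single-source rule.
    """
    low_volume_ips = []
    users = set()
    for ip, per_user in attempts_by_source(events).items():
        total = sum(per_user.values())
        if total <= max_attempts_per_ip and len(per_user) == total:
            low_volume_ips.append(ip)
            users.update(per_user)
    return {
        "source_count": len(low_volume_ips),
        "user_count": len(users),
        "flagged": len(users) >= min_total_users,
    }


if __name__ == "__main__":
    evts = parse_rejections(build_sample_logs())
    print("rejections parsed:", len(evts))
    print("single-source spray candidates:", spray_sources(evts))
    print("rotating-source spray:", distributed_spray(evts))
```

On the constructed input the three 203.0.113.x addresses are reported by `spray_sources`, the rotating check pools them into one campaign covering 18 accounts, and alice's repeated failures from 198.51.100.5 are ignored by both rules because they involve a single username. The `distributed_spray` pool will also absorb genuine one-off typos from unrelated addresses, so on real logs the `min_total_users` threshold and the evaluation window should be tuned against the normal failure rate of the VPN rather than taken from this example.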
